Privacy challenges transparency – how can GDPR and MiFID II be reconciled?
January 12, 2018
For players in the finance sector, 2018 will be an even more burdensome year than usual for two reasons: the implementation of the Markets in Financial Instruments Directive (MiFID II), which took effect on January 3, 2018, and application of the EU’s General Data Protection Regulation (GDPR), which begins on May 25, 2018, right before summer.
Conflict: more information for investors – and as little data as possible
The financial crisis that started in 2008 and development of the market necessitated a re-examination of investment services, investor protection, and financial instruments trading. The outcome was the creation of MiFID II. The GDPR, in turn, is a response to the prevailing era of big data. The Economist recently declared that data is the new oil, the world’s most valuable commodity, which, however, has tremendous privacy-related challenges associated with it.
At the heart of MiFID II is increased transparency by collecting and disseminating even more information to investors; the GDPR, in turn, emphasizes the acquiring and storing of only the necessary amount of data. A conflict between the two compulsory regulations seems evident.
Tight requirements for employee-related data
MiFID II’s strict obligations regarding employees have often emerged in our customers’ MiFID II implementation projects. Players must collect and store detailed information about the entire assignment chain – starting with the first customer contact and ending with the reporting of the implemented transaction. To fulfill the obligation, the data to be stored is accumulated from, e.g., employee phone calls and trade information. Because of the inspections monitoring compliance with the process, the collected data is examined through, e.g., recorded phone calls.
At the same time, many customers have also been implementing the GDPR, within which framework customer data pools and streams have been identified and their management made more reasonable.
These two projects have been on a collision course, as one aims to increase the data collected while the other aims to decrease it.
Transparency is ultimately shared
However, a clear order of application and logic can be found between the regulations. The conflict dissipates when you understand the transparency to be an essential element also in the GDPR. If special legislation requires the player to collect and store data about employees, for example, this does not go against the GDPR’s obligations, as long as the GDPR game rules are followed.
Things go awry if there is no GDPR-aligned legal basis for the processing of the collected data. Because of MiFID II, the legal basis for the processing is MiFID II itself, the obligations set for the player by the special legislation. If there is a legal basis for the processing of the data, the data can be handled and stored. If no legal basis for the processing exists, the data must be deleted (and certainly also upon expiration of the storage period required by the legislation).
Ultimately, the aim of the GDPR is, in fact, consistent with the ideology of MiFID II: create practices that better secure customers’ rights and openly communicate these practices to customers.
Anna Bernitz, Senior Associate, tel. +358 40 838 4965, firstname.lastname@example.org